Businessman in uncertainty with broken bridge

Innovation and Security for Online Casinos: A Dangerous Dilemma

Online casino operators are business mammoths fighting each other using heavy marketing. However, these brands you join and gamble on do not generally create the games you bet on (i.e., slots, live blackjack, bingo). Instead, they buy portfolios of games from expert game developers such as NetEnt, Microgaming, and Inspired Entertainment.

So, how do gambling operators differentiate themselves if they all have access to the same game selection? Well, top online casino sites are happy to pay top dollars for exclusive deals on the newer games. They need that constant stream of new games to keep gamblers interested. The alternative is to let them sign up to a competitor and potentially lose their custom.

Cybersecurity is always delicate when your business, or your closest partners, need to move at high speed in order to release new products on a regular schedule. Game developers need to quickly go from ideation to launch, and it’s a never-ending cycle.

Multiple high-risk threats, at all times

Startups, regardless of their vertical, tend to build software fast. Data breaches are often found to originate from oversight in postmortems. Yet, as horrendous as a data breach is for a company’s credibility and PR, it’s not draining dollars from its accounts by the second, or by the spin.

Online slots and, more generally, online casinos are the targets of cyberattacks and serious hack attempts pretty much on an hourly basis. The numerous angles attacks come from require incredible attention to detail and planning from the software engineers.

First, you have hackers trying to hack the random number generators and hashing mechanisms in order to increase their edge in slot games. Secondly, you have ideological groups trying to take down –by any means necessary– your business as they deem it immoral. Third, you have a customer base and customer data that is a lot more valuable than your average startup’s which also attract ill-willed hackers.

Pen testing in the online gambling industry

In these scenarios, you tend to have a handful of moving parts: your own systems, your clients, your trusted game developers’ systems, your physical infrastructure provider, and everything gluing these together. From your own data center staff to the game provider’s premises, it’s a massive number of doors to guard.

Penetration testers are commonly hired by the first-party (the casino operator) as well as by third-parties. Often, this is contractually required. There is too much at stake here to only audit systems every few months just so the box is ticked.

Each spin triggers a cascade of API calls – each one of these is pure joy for a pen tester! Chaos engineering is a practice that many gambling operators and slot providers love. Let’s shoot ourselves in the foot by leaving a door open, and let’s ensure that intruders still can’t access sensitive data then.

Shaun, from betandbeat, explained that “Legitimate gambling platforms tend to help pen testers perform a thorough network assessment across all first and third-party endpoints including DDoS mitigation of mission critical services. Then, they ensure compliance with the Payment Card Industry Data Security Standard as it is a cornerstone legal liability. Finally, malicious inputs and crumbs left by error messages are obvious starting points for pen testers attacking from outside of the casino site’s premises (as opposed to physically accessing a slot machine, or a data center, or even a private network).”

Machine learning to help detect abnormal patterns

Streams of data flow for training and inference in an online casino. From the spin frequency, to the betting patterns, to the pointer’s movement, as many data points as possible are needed in order to guarantee the level of cleanliness a client, or transaction presents.

The benefit here is that even in the event of a massive exploit being used to trigger winning spins, these monitoring tools can quickly ring the alarm bell when an abnormal pattern is detected and simply block any communication with the current client, and trigger the appropriate response (account being locked, email being sent, or perhaps simply having a human check this out quickly).

For bad actors to drain an online casino from its resources, they would need to disarm both the game’s safety mechanisms and the monitoring. These strategies are part of a comprehensive cybersecurity engineering strategy.

So, speed or security? Both

Whilst the average startup won’t be able to absorb such high security costs, they are easily justifiable for a legitimate online casino site (black market sites are a lot laxer on security as you would expect). Operators have dozens of game providers to choose from and these game developers are also competing with each other in showing how thorough their vetting process is.

The multiple independent audits online betting and gambling sites go through are advanced and often come back with great feedback for the security-conscious engineering teams. Independent audits are mandatory in most jurisdictions and oversight is performed by the gambling regulator. Additionally, hefty fines are given to operators who failed to ensure the protection of their customer data.

All in all, gamblers can be confident their money is safe from bad actors on gambling sites. The likelier risk is more to just lose it all by having one too many bets!


Staff Writer at CPO Magazine